You're reading The SME Security Brief, practical IT, cyber security and technology advice for Irish and UK businesses. No jargon. No scare tactics. Just what you need to know, every week.

If someone forwarded this to you, you can subscribe at thesmesecuritybrief.com.

THIS WEEK'S THREAT 🔴

The baseline most businesses are still missing

Governments on both sides of the Irish Sea have spent years studying how businesses get breached. They have looked at thousands of incidents, spoken to hundreds of organisations, and worked with security experts to identify the controls that would have prevented the vast majority of attacks.

The result? A surprisingly short list of fundamentals.

Ireland follows the NIS2 framework, the EU's updated Network and Information Security directive. The UK operates its own equivalent called Cyber Essentials, a government-endorsed certification scheme backed by the National Cyber Security Centre and built around five core security controls.

The details differ slightly. The names differ. But the core message from both is almost identical: most successful cyberattacks exploit basic security gaps that are entirely preventable.

Not sophisticated zero-day vulnerabilities. Not nation-state-level hacking. Basic gaps. Unpatched software. Weak passwords. No multi-factor authentication. Accounts with more access than they need.

Here is the uncomfortable truth: if your business cannot confidently tick the fundamentals on either of these frameworks, you are in the same position as thousands of SMEs that have been breached in the last twelve months.

The good news? Most of these controls cost very little to implement. Some cost nothing at all.

What you should do this week:

  1. Read through the five controls below and honestly assess where your business stands on each one.

  2. Identify the one or two you are weakest on and make fixing them your priority for the next 30 days.

  3. If you are in the UK, look up Cyber Essentials on ncsc.gov.uk — there is a free self-assessment tool that gives you a clear picture of where you stand.

  4. If you are in Ireland, check ncsc.gov.ie — they have adopted the CyFun (Cyberfundamentals Framework) as a practical self-assessment tool for Irish businesses. It maps directly to NIS2 and has four levels from Small right up to Essential, so there is a starting point for every size of business.

THIS WEEK'S TIP 💡

The five controls both frameworks agree on

Whether you are in Dublin or Derby, Belfast or Birmingham, these are the five areas both NIS2 and Cyber Essentials point to as the foundation of a secure business. Think of this as your baseline checklist.

1. Firewalls
Every device connecting to the internet in your business should be protected by a firewall. Most modern routers include one, but it needs to be switched on and correctly configured. If your IT provider has never specifically discussed your firewall setup with you, ask them about it this week.

2. Secure configuration
Devices and software should not be left on default settings. Default passwords must be changed. Unnecessary features and services should be disabled. This is one of the most overlooked controls in SMEs, and one of the easiest for attackers to exploit.

3. User access control
Staff should only have access to the systems and data they actually need to do their job. An accounts team member does not need access to your HR files. A salesperson does not need admin rights on the company server. Review who has access to what, and remove anything that is not needed.

4. Malware protection
Antivirus and anti-malware software should be installed, up to date, and actively running on every device used for work, including personal devices if staff use them to access business systems. Microsoft Defender, included with Windows, is a solid baseline if properly configured.

5. Patch management
Software updates exist primarily to fix security vulnerabilities. Delaying them is one of the most common reasons businesses get breached. Enable automatic updates wherever possible, and have a process in place to ensure updates are applied promptly across all devices.

If you can genuinely say yes to all five, you are already ahead of the majority of SMEs. If you have gaps, you now know exactly where to focus.

THIS WEEK'S TOOL 🛠️

Cyber Essentials: the UK's free self-assessment every Irish business should also read

Even if you are based in Ireland and Cyber Essentials is not your framework, the Cyber Essentials self-assessment questionnaire available on ncsc.gov.uk is one of the clearest, most practical security checklists available for any small business.

It asks straightforward questions across the five control areas above, and it forces you to think concretely about your setup rather than in vague generalities. It takes about 30 minutes to work through and gives you a clear picture of where your gaps are.

For UK businesses, completing the self-assessment and achieving Cyber Essentials certification is increasingly expected by larger clients and is required for many government contracts. It costs from around £300 to certify, and the process of preparing for it will improve your security regardless of whether you submit for the certificate.

For Irish businesses, working through the same questionnaire as a self-audit is genuinely useful. Think of it as a free gap analysis.

Search "Cyber Essentials self assessment" on ncsc.gov.uk to find it. No registration required to read through the questions.

Irish businesses: NCSC Ireland has adopted the CyFun (Cyberfundamentals Framework) as its recommended self-assessment tool, available directly at ncsc.gov.ie/CyFun. It starts at a "Small" level designed for businesses with limited technical knowledge and scales up from there. If you are in Ireland, this is your equivalent starting point.

QUICK COMPLIANCE CHECKLIST

Five questions. Be honest with yourself:

  1. Do you have a firewall in place, and has it been reviewed in the last 12 months?

  2. Have default passwords been changed on all routers, devices, and software in your business?

  3. Do staff only have access to the systems and data they actually need?

  4. Is antivirus or anti-malware software installed and up to date on every work device?

  5. Are software updates applied promptly across all devices used for work?

If you answered "no" or "I think so" to any of these, that is your starting point.

BEFORE YOU GO

The businesses that get hit hardest are rarely the ones that ignored everything. They are usually the ones that did some things well but left a few basics unaddressed. Attackers do not need a wide-open door. They just need one gap.

The frameworks both governments have landed on are not complicated. They are not expensive. They are just the things that, done consistently, close the gaps that attackers rely on.

Start with the five controls above. One at a time if you need to. Just start.

See you next week.

  • The SME Security Brief